>>>
>>
>> I think you would do well to set up a squid proxy and block outbound
>> traffic for the affected machines.  We've had great success with squid
>> in our environment.  This gives you a tremendous amount of flexibility
>> on your access control, and it means you don't have to be concerned
>> about which transport methods are used when updating/installing.
>> Added bonus is that the squid caches your Gentoo download objects.
>
> Is that tough to set up?  I would think an iptables solution would be
> easier, but maybe that won't work out.
>

Well, you'll end up using iptables anyway, right?  If you really want
to -force- folks to get out through a proxy, that is.  Since you
mention that the router is a gentoo box, should be an easy one.

Tough to set up Squid? Naw.  Of course, it's like most things, we don't
know much about your network or the scope of your requirements.  For
our use case, we needed the following:

- forced access through the proxy
- website URL blacklisting and custom redirection based on massive regex lists
  - Automated notification on certain 'violations'
- user account login to the proxy before internet access
- username tied to all proxy logs
- 'manager' access to log data via nifty graphs on a web server

So, ours took some time.  :)

Ya, I know these folks were uuber paranoid, and wanted the ability to
nab folks for what they felt like was inappropriate internet usage...
Anyway your situation sounds much simpler.  So simple in fact that
just a few tweaks to the default squid.conf can provide you with a
functional config.

There are heaps of doco out there on configuring Squid, so you should
have a look and see what you think.  You can easily get a little test
proxy going on a desktop or laptop to try it out.  :-)

Hope this helps!

--
Matt
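
Added example (not part of the message above, and not taken from the poster's network): a sketch of the "few tweaks to squid.conf plus iptables on the router" setup the reply describes. The addresses, the port list and the function names squid_conf and router_rules are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed values, adjust to the real network.
PROXY_IP="192.168.1.10"    # assumption: host running Squid
PROXY_PORT="3128"          # Squid's default http_port
LAN_NET="192.168.1.0/24"   # assumption: LAN behind the Gentoo router

# Emit a minimal squid.conf: LAN clients only, web/FTP ports only.
squid_conf() {
    cat <<EOF
http_port ${PROXY_PORT}
acl localnet src ${LAN_NET}
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
}

# Emit FORWARD rules (iptables-restore format) for the router.
# Args: IP addresses of the machines that must use the proxy.
router_rules() {
    echo "*filter"
    for host in "$@"; do
        # Allow the restricted host to reach the proxy if that path is routed.
        echo "-A FORWARD -s ${host} -d ${PROXY_IP} -p tcp --dport ${PROXY_PORT} -j ACCEPT"
        # Reject every other forwarded packet from it, whatever the
        # transport (http, ftp, rsync, ...); the proxy resolves names itself.
        echo "-A FORWARD -s ${host} -j REJECT"
    done
    echo "COMMIT"
}

# Stand-alone use:  ./proxy-only.sh squid   or   ./proxy-only.sh rules IP...
case "${1:-}" in
    squid) squid_conf ;;
    rules) shift; router_rules "$@" ;;
esac
```

Load the generated rules on the router with iptables-restore --noflush so the existing ruleset is kept, and point the restricted machines' http_proxy and ftp_proxy settings at the Squid host.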
